Stay on guard

Attempts at hacking your server can be prevented in three simple steps, says EB columnist David Hathiramani

At A Suit That Fits, we’re busy running a campaign called A Suit For Success, asking the men and women of Britain to donate their unwanted suits so that we can give them to disadvantaged unemployed young people to help them when they’re trying to find work. The suits will be given to our three partners: Amber and Centrepoint – both of which help young people disadvantaged as a result of homelessness – and Right Futures, which assists young people who are not in employment, education or training to find their first long-term role. We’re collecting donations until May 31 and, as a thank you, people who donate their suit will get a £50 tailoring voucher. It’s great to have lots of people visiting our website to find out more about the campaign – but a few months back we had some visitors that weren’t quite so welcome.

Earlier this year, the load to the A Suit That Fits servers from the internet increased significantly. Unfortunately, normal traffic to our website hadn’t increased significantly (and consequently our business hadn’t doubled) but our servers seemed to be under constant attack from the outside world.

Knowing that your servers are being subjected to attacks is quite nerve-wracking. The first question that you ask yourself is ‘who is trying to hack us?’ And the answer almost certainly isn’t what you would think: the attempts were automated.

Most of these attempts are trying to take control of your server so that it can be used to attack and take over other servers in turn. Your server can carry on doing what it normally does while being one of these drones without you even knowing it. Then, at the point the hackers want to do something like attack a government body or big institution, they can simply tell your server to join in. A network of compromised machines like this is what’s known as a ‘botnet’. It’s not just servers – this can even happen to your home computer.

If your server is hacked, a lot of the time whoever has hacked it isn’t actually interested in your server at all – they are just interested in turning your server into another attacker. However, you should be doing everything you can to ensure that you are protected. If you can get hacked by an automated system, you can definitely get hacked by a human.

So here are a few basic tips on how you can start thinking about protecting yourself:

Passwords

Having complex passwords seems like a bit of a security cliché but, in fact, guessing passwords is one of the most straightforward ways of hacking into a system. You should ensure that every administrator of your system has a secure password. A ‘brute force’ password attack is where common passwords are attempted again and again until one works. In fact, I was recently reading about an attack of exactly this kind on a series of WordPress-powered blogs.

Keep your system up to date

Whatever system you are using, keep it up to date. If you are using an open-source (free) system, it can be easy for hackers to find vulnerabilities – they can actually read the source code and work out an attack that will succeed against it. So you must keep your eyes open for updates continually.

With proprietary software, always install the updates that are recommended for security purposes. Hackers seem to hate the big companies and constantly try to hack their software; the vendors are usually very quick to provide a fix for their systems but, if you have not installed it, you are still exposed and will be targeted.

Sanitise

If you are developing your software in house, there is usually less risk of being hacked – standard, off-the-shelf hacks will not work, and reverse engineering can’t happen as your source code isn’t posted publicly. However, one thing to keep in mind with the team that is developing it is user inputs. Anywhere on your system where a user can input something (such as their address details – or even a search box) is a risk. You have to make sure that all of the data the user enters is properly screened and filtered before it is used – this is called sanitising the data. If this is done properly, users will not be able to enter data that could be used to attack either your database or your system.
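As an added illustration of the point above (example code written for this column, not taken from A Suit That Fits’ own system), the snippet below shows a customer search written two ways: one that pastes the user’s text straight into the database query, and one that validates the input against an allow-list and then passes it to the database as a bound parameter. The table and its rows are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory customer table standing in for a real shop database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (name TEXT, city TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("Alice", "London"), ("Bob", "Leeds"), ("Carol", "London")],
    )
    return conn


def search_unsafe(conn, city):
    # Defect on purpose: the user's text becomes part of the SQL statement itself,
    # so a quote or an OR in the input changes what the query means.
    sql = "SELECT name FROM customers WHERE city = '" + city + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, city):
    # Parameter binding: the value travels separately from the statement, so the
    # database only ever compares it as data, never runs it as SQL.
    rows = conn.execute(
        "SELECT name FROM customers WHERE city = ? ORDER BY name", (city,)
    )
    return [row[0] for row in rows]


# Allow-list for a city field: letters, spaces, hyphens and apostrophes, at most
# 60 characters. Apostrophes are legitimate (Bishop's Stortford), which is why
# screening alone is not enough and binding is still needed.
CITY_RE = re.compile(r"^[A-Za-z][A-Za-z '\-]{0,59}$")


def validate_city(value):
    """Return the trimmed value, or raise ValueError if it is not a plausible city."""
    value = value.strip()
    if not CITY_RE.fullmatch(value):
        raise ValueError("invalid city name")
    return value


def search(conn, city):
    """Screen the input first, then query with a bound parameter."""
    return search_safe(conn, validate_city(city))
```

Run against the same crafted input, the unsafe version returns every customer while the safe version returns none and the validator rejects it outright.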

These three tips are by no means comprehensive; if you have the budget, you would be wise to have a security firm work alongside you and help protect you from all of the risks.

The internet provides lots of opportunities for all sorts of people. Unfortunately, there are some that take advantage of this and you have to make sure that you minimise your risk if you are targeted.

About the Author

He may be co-founder of trendy suit retailer A Suit That Fits, but Hathiramani is also something of a closet geek. And the Imperial College Computing graduate is here to impart some of his wisdom about setting up an internet business.